U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General

Memorandum

Subject:  ACTION: Quality Control Review of Controls Over the Enterprise Services Center, Department of Transportation
          Report No. QC-2010-001
Date:     October 1, 2009

From:     Rebecca C. Leng
          Assistant Inspector General for Financial and Information Technology Audits
Reply to Attn. of: JA-20

To:       Assistant Secretary for Budget and Programs/Chief Financial Officer

This report summarizes the results of our annual review of general, application, and operational controls over the Department of Transportation's (DOT) Enterprise Services Center (ESC). ESC is one of four Federal service providers designated by the Office of Management and Budget (OMB) to provide financial management systems and services to other Federal agencies. ESC services include accounting, financial management, systems and implementation support, customer services, media solutions, telecommunications, and data center services for DOT and other Federal organizations. In addition to serving DOT, ESC supports the National Endowment for the Arts, the Institute of Museum and Library Services, the Commodity Futures Trading Commission, and the Government Accountability Office.
ESC is staffed by Federal Aviation Administration (FAA) employees at the Mike Monroney Aeronautical Center in Oklahoma City, under the direction of the Department's Chief Financial Officer.

OMB requires Federal service providers either (1) to provide their user organizations with an independent audit report on the effectiveness of internal controls or (2) to allow user auditors to perform appropriate tests of controls at the service organization.[1] This audit covered both the Delphi Financial Management System and the Consolidated Automation System for Time and Labor Entry (CASTLE) hosted at the ESC. CASTLE is used to support DOT operations only.

[1] OMB Memorandum M-08-24.

The audit was completed by Clifton Gunderson, LLP, of Calverton, Maryland, under contract to the Office of Inspector General (OIG). OIG staff performed a quality control review of the audit work to ensure that it complied with applicable standards. These standards include generally accepted government auditing standards and the American Institute of Certified Public Accountants' Statement on Auditing Standards No. 70 (SAS-70). SAS-70 requires auditors to determine whether (1) management fairly presented its description of controls, (2) the described controls were suitably designed, and (3) the controls were effectively implemented. In our opinion, Clifton Gunderson's audit work complied with these standards.

Clifton Gunderson concluded that management presented its description of ESC controls fairly in all material respects, and that the controls, as described, were suitably designed for all stated control objectives.
With regard to implementation, Clifton Gunderson found that the tested controls were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified by management were achieved from October 1, 2008, through June 30, 2009. However, the report highlighted two exceptions to this finding: ineffective access controls and inadequate segregation of duties. Under the access control exception, CASTLE database administrators (DBAs) shared privileged system access through a single system-level account rather than named accounts, and there was no evidence that system activity logs were being reviewed. Under the segregation-of-duties exception, one development DBA could read any table within the production environment and could access the production database. Clifton Gunderson made recommendations to correct these control deficiencies.

Clifton Gunderson made additional recommendations to DOT management for improving controls in service continuity, configuration management, security management, and other areas. We agree that implementing these recommendations will further enhance controls over ESC operations and have included them in the Exhibit.

In a September 30, 2009, response to OIG, the Acting Deputy Chief Financial Officer concurred with the recommendations and committed to implementing corrective actions (see the Appendix to this report).

In accordance with DOT Order 8000.1C, the corrective actions taken in response to Clifton Gunderson's recommendations are subject to audit follow-up. Clifton Gunderson performed additional testing and provided a follow-up management letter to OIG on September 30, 2009, reporting no significant changes to the control environment between July 1, 2009, and September 30, 2009.
Clifton Gunderson's follow-up letter did not include any further corrective actions.

We appreciate the courtesies and cooperation of FAA, ESC, the Office of the Secretary of Transportation, and Clifton Gunderson representatives during this audit. If you have any questions concerning this report, please call me at (202) 366-1407 or Nathan Custer, Program Director, at (202) 366-5540.

Attachments

#

cc: Chief Information Officer, DOT
    Assistant Administrator for Financial Services/CFO, FAA
    Assistant Administrator for Information Services/CIO, FAA
    Assistant Administrator for Region/Center Operations, FAA
    Director, Mike Monroney Aeronautical Center, FAA
    Martin Gertel, M-1
    Anthony Williams, ABU-100

EXHIBIT. RECOMMENDATIONS OF CLIFTON GUNDERSON, LLP, INDEPENDENT AUDITOR

The following recommendations were made by Clifton Gunderson, LLP, in its 2009 independent auditor's report on the review of general, application, and operational controls over the DOT ESC. OIG agrees that DOT management should implement the following actions to enhance ESC controls.

Access Controls

1. Ensure that procedures are developed for regularly reviewing Database Administrator activity by non-Database Administrator personnel. Also, management should document the review of Database Administrator activity.

2. Ensure there is a process in place which requires the security officers to submit Kintana requests for reactivation of Delphi user accounts, including the duration of the reactivation period. Closed in follow-up.

3. Ensure the Delphi bi-weekly report runs in a consistent manner without interruption. Closed in follow-up.

4. Ensure the Delphi Information System Security Officer (ISSO) and her team perform quarterly Delphi user access recertifications in a timely manner. Closed in follow-up.

5. Develop a process that monitors Security Officers' compliance with user recertification and implement measures for non-compliance. Closed in follow-up.

6. Eliminate the usage of generic user and system-level accounts in ESC PRISM, thereby enforcing appropriate user accountability. Closed in follow-up.

7. Ensure that access authorization forms are completed and documented for all users requiring access to ESC systems.

8. Consider increasing the frequency of server vulnerability scans; require each new, upgraded, or restored system to be scanned for vulnerabilities prior to being placed in production.

Segregation of Duties

9. Ensure that Database Administrators have named accounts for the proper segregation of duties and user accountability.

Service Continuity

10. Develop an ESC-wide Continuity of Operations Plan.

11. Develop a tailored plan for the Office of Customer Services (AMO) to meet the standards identified in NIST SP 800-34. The plan should also be updated at least on an annual basis to reflect AMO's current environment.

Configuration Management

12. Ensure that definitive time frames are in place for the application of Oracle critical patch updates (CPU) or document the testing results that indicate the incompatibility of each CPU.

13. Maintain updated baseline configuration information for all systems and use the updated information to address known vulnerabilities.

Security Management

14. Ensure that all Memoranda of Understanding are renewed and approved with appropriate authorizing signatures prior to expiration.

15. Implement proper mechanisms to ensure that the separation process is followed appropriately for every separating employee/contractor and that all exit clearance forms are properly filled out and maintained.

16. Ensure that the Delphi Information System Security Plan is updated and formalized with current personnel responsible for security, in accordance with federal guidance. Closed in follow-up.

APPENDIX. MANAGEMENT COMMENTS

September 30, 2009

MEMORANDUM TO:  Rebecca C. Leng
                Assistant Inspector General for Financial and Information Technology Audits

FROM:           Lana Hurdle
                Office of the Assistant Secretary for Budget and Programs/CFO
                Acting Deputy Chief Financial Officer

SUBJECT:        Management Response to the SAS 70 Audit of ESC's Services Information Security Controls

Thank you for the Statement on Auditing Standards (SAS) 70 audit of Oklahoma City's Enterprise Services Center's (ESC) Information Security Controls. The Department appreciates the Office of Inspector General's (OIG) coordination and Quality Control Review of Clifton Gunderson's SAS 70 audit, which offers considerable insights that enable us to further improve our already strong management and controls over financial systems in this ever-changing cyber security environment.

The Department concurs with Clifton Gunderson's recommendations and has identified corrective actions to remediate the findings (see attachment). Consistent with past practices, ESC has worked with the auditors throughout this year's SAS 70 audit to identify and schedule corrective actions as audit findings are documented, to ensure swift and appropriate management action.

The Department appreciates the assistance you and your staff have provided throughout the SAS 70 process.
The SAS 70 process helps to ensure that ESC continues to strengthen the design and implementation of all controls of our shared service offerings every year, and we look forward to your continued help and support.

As a Federal Shared Service Provider (FSSP) designated by the Office of Management and Budget (OMB) to provide a state-of-the-art financial system and quality accounting services to other Federal agencies, ESC has demonstrated its strong commitment to ensuring that its Financial Management Services meet or exceed all information security requirements.

Thank you for your continuing support and assistance in this effort.

Attachment: Corrective Action Plan

cc: Maria Dowds, Joann Adam, Laurie Howard, Wendy Calvin, Terry Burke, Lindy Ritz, Stan Sieg, Marshal Gimpel, Mike Upton, Sara Smith, Keith Burlison, Bo Peeler, Mike Myers, Steve Aube, Robert Stevens, Janet Shell, Nina Boyle, Kent Mitchell

Attachment

Corrective Action Plan for ESC's FY 2009 SAS-70 Audit

NFR #03: Delphi Terminated User Account Deactivation

CG Recommendation 2: There is a process in place which requires the Security Officers to submit Kintana requests for reactivation of Delphi user accounts, including the duration of the reactivation period.

Management Response: A revised process was implemented on April 27, 2009, for reactivation of deactivated users. Delphi security officers are required to enter a Kintana request providing justification for user account reactivation.
The users will be reactivated for 24 hours only. At the time of reactivation, the end date is entered so the user account is deactivated in 24 hours. If a security officer requests that the user account be active for longer than 24 hours, additional justification is required. This action is complete.

CG Recommendation 3: The Delphi bi-weekly report runs in a consistent manner without interruption.

Management Response: The Delphi bi-weekly report program has been automated as of May 5, 2009. This action is complete.

NFR #04: Delphi MOUs

CG Recommendation 14: We recommend ESC management ensures all Memoranda of Understanding (MOUs) are renewed and approved with appropriate authorizing signatures prior to expiration.

Management Response: A new process has been implemented to monitor MOUs for Delphi systems. The ISSO will seek to have an MOU approved and signed by the system's Authorizing Official prior to the expiration of an existing MOU. If the MOU has not been signed within 30 days of expiration, it will be elevated to the Authorizing Official for disconnection or for a risk acceptance. The revised estimated completion date is September 30, 2009. POC: Carol Moffat.

NFR #05: Employee Termination

CG Recommendation 15: ESC Management should implement proper mechanisms to ensure the separation process is followed appropriately for every separating employee/contractor and all exit clearance forms are properly filled out and maintained.

Management Response: In coordination with the Aeronautical Center Director (AMC-1), Human Resource Management (AMH), and the Office of Acquisition Services (AMQ), ESC implemented a cross-MMAC initiative to address this issue campus-wide, including all organizations and tenants resident on the MMAC campus. This includes reviewing and updating clearance processes, if needed, to ensure the out-processing forms are properly filled out and maintained for separating MMAC-wide employees/contractors.
This action was completed on September 1, 2009. POC: Kent Mitchell.

NFR #07: Delphi User Access

CG Recommendation 4: Ensure the Delphi ISSO and her team perform quarterly Delphi user access recertifications in a timely manner.

Management Response: The Delphi Quarterly Reports became online reports in July 2009. The Delphi Security Officers (SOs) are able to run these reports in real time.

Each quarter the ISSO will send the SOs an e-mail, copying their manager, requiring them to verify they have reviewed all their user accounts. Confirmation is required for all valid accounts. A Kintana request must be submitted for modifying user accounts or deleting invalid user accounts.

Noncompliance from the SOs will cause a second e-mail to be sent directly to their managers. It will then become their manager's responsibility to ensure the SO responds in a timely manner to the ISSO. If the ISSO does not receive a response from the SO within a timely manner, the Operating Administration (OA) Chief Financial Officer (CFO) and the Department of Transportation (DOT) ISSM will be notified by the ISSO.

Specifically, the following actions will be implemented:

1. Implementation of a real-time online user account report which SOs can run daily, if desired.

   a. Each quarter the ISSO will send the SOs an e-mail, copying their manager, requiring them to verify they have reviewed all their user accounts. Confirmation is required for all valid accounts. A Kintana request must be submitted for modifying user accounts or deleting invalid user accounts.

   b. Noncompliance from the SOs will cause a second e-mail to be sent directly to their managers.
      It will then become their manager's responsibility to ensure the SO responds in a timely manner to the ISSO.

2. Training for all Delphi SOs prior to the online user account program going into production.

3. Investigate requiring Delphi SOs and their managers to take yearly refresher training as a requirement for their position.

4. Require Rules of Behavior to be signed yearly by SOs and their managers, listing the requirements of their positions.

Revised estimated completion date is September 30, 2009. POC: Carol Moffat.

CG Recommendation 5: Develop a process that monitors Security Officers' compliance with user recertification and implement measures for non-compliance.

Management Response: Management agrees the process can be strengthened but does not agree with the recommendation, since the following existing processes are in place.

To further strengthen the process, ESC will ensure that the Delphi incompatibility reports are run and followed up on a timely basis.

Processes have been implemented, due to prior audit findings, to monitor Delphi Security Officer (SO) compliance for user recertification, including:

1. Running the Delphi Incompatibility Report

   a. Run weekly for verification of incompatibilities based on the Delphi Roles and Responsibility Matrix

2. Purchasing and implementing "Sox Out of the Box"

   a. COTS package that automatically checks for user compliance

3. Developing and implementing the Delphi Biweekly Auto-Termination program

   a. This program checks for invalid user accounts. It matches employee records against terminated employee files to validate user accounts.
      In addition, the user accounts that are listed in the report are manually verified by the ISSO. Kintana requests are submitted for any user accounts that are not end-dated.

The revised estimated completion date is September 30, 2009. POC: Carol Moffat.

NFR #08: ESC PRISM User Accounts

CG Recommendation 6: ESC management should eliminate the usage of generic user and system-level accounts in ESC PRISM, thereby enforcing appropriate user accountability.

Management Response: The ESC PRISM generic user accounts, "SYSADMIN" and "SITEADMINGAO", were deactivated when identified by the audit team. ESC has implemented auditing of the ESC PRISM user accounts on a monthly basis. This action was completed by April 20, 2009. POC: Carol Moffat.

NFR #09: COOP

CG Recommendation 10: Develop an ESC-wide Continuity of Operations Plan, as well as a tailored plan for the Office of Customer Services (AMO) to meet the standards identified in NIST SP 800-34. The plan should also be updated at least on an annual basis to reflect AMO's current environment.

Management Response: ESC concurs that a COOP is needed for ESC, including two of ESC's directorate-level organizations (AMO and AMZ). ESC's AMI organization will lead the completion of these COOPs. The project, which started in April 2009, is expected to last approximately six (6) months. This will be completed by October 31, 2009. POC: Charles Hall.

NFR #10: DBA Accounts

CG Recommendation 9: ESC management should ensure that CASTLE, Delphi, and ESC PRISM DBAs have named accounts for the proper segregation of duties and user accountability.

Management Response: A single Oracle system-level account (not a named user account) was shared on CASTLE.
The privileges of the users that had access to this account were revoked on August 5. Named accounts will be created for DBAs that support ESC PRISM, CASTLE, and Delphi. Rules of behavior for DBAs will be updated to reflect that only named accounts will be used except in special circumstances. The estimated completion date is October 31, 2009. POC: Christopher Carl.

CG Recommendation 1: ESC management should ensure that procedures are developed for regularly reviewing DBA activity by non-DBA personnel. Also, management should document the review of DBA activity.

Management Response: The Work Instructions for systems monitoring will be updated. This will allow read access and restricted-mode session access to be revoked. The estimated completion date is October 31, 2009. POC: Christopher Carl, AMI-310.

We concur with the condition that proof of audit review for CASTLE and ESC PRISM was not provided and that reviews were not conducted by non-DBA personnel regularly.

The procedures will be updated where needed and automated tools will be implemented, so that non-DBA personnel review DBA activity with subsequent reviews by management. The estimated completion date has moved up to December 31, 2009. POC: Christopher Carl.

CG Recommendation 12: ESC management should ensure that definitive timeframes are in place for the application of Oracle CPUs or document the testing results that indicated the incompatibility of each CPU.

Management Response: The Delphi Oracle patches (July 2008) referenced within the Risk Acceptance were applied in February 2009. Patches from October 2008 and January 2009 had been reviewed and documented according to the CPU Patch work instruction, AMEWI-0001. This documentation was provided within the PBC requests.

The CPU patch work instruction, AMEWI-0001, is in the process of being updated to include a formal CPU patch review document to assist us with prioritizing the CPU patches into our release schedule.
This documentation will be complete by October 31, 2009. POC: Michelle Overstreet, AME-210.

Data from the NGSSquirrel scan will be analyzed to determine if enhanced named and system account auditing can be enabled. If any additional system account audits are identified, they will be enabled after being tested. The estimated completion date has moved up to December 31, 2009. POC: Christopher Carl.

NFR #12: Telecommunications LAN & Voice

CG Recommendation 8: Management should consider increasing the frequency of server vulnerability scans; require each new, upgraded, or restored system to be scanned for vulnerabilities prior to being placed in production.

Management Response: ESC is currently scanning its servers multiple times a month with FoundStone, the DOT/FAA enterprise vulnerability scanning tool. A quarterly Nessus scan is also performed on the servers supporting Delphi, CASTLE, and ESC PRISM.

ESC will create a policy memo for ESC-supported systems to follow. The memo shall require system administrators to request a vulnerability scan for new servers, or any existing server undergoing major upgrades or being restored, before the server can be placed back into production. This action was completed July 31, 2009. POC: Huey Grantham, AMI-510.

CG Recommendation 13: Management should maintain updated baseline configuration information for all systems and use the updated information to address known vulnerabilities.

Management Response: ESC is working on a process for baseline configuration information. The ESC System Management Facility (SMF) is implementing the CiRBA (Configuration Item Request Broker Architecture) baseline configuration for servers managed by the ESC SMF. The estimated completion date for the CiRBA baseline configuration implementation is December 31, 2009. POC: Huey Grantham, AMI-510.

NFR #13: ESS/Delphi

CG Recommendation 16: The Delphi Information System Security Plan should be updated and formalized with current personnel responsible for security, in accordance with federal guidance.

Management Response: The Delphi Information System Security Plan (ISSP) has been updated to identify current personnel responsible for security for Delphi. The estimated completion date is October 16, 2009. POC: Carol Moffat, AMI-510.

CG Recommendation 7: ESC management should ensure access authorization forms are completed and documented for all users requiring access to ESC systems.

Management Response: ESC Management agrees that access authorization forms must be completed and documented. The Kintana access authorization process is in place with requests documented and available for audit. The process has been managed by the Delphi Application Administrators since January 2009, to ensure access request forms are completed and maintained. The estimated completion date is October 16, 2009. POC: Carol Moffat, AMI-510.
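The corrective actions above describe three account-lifecycle controls in process terms: the 24-hour reactivation window with an end date entered at request time (NFR #03), the Delphi Biweekly Auto-Termination program that matches active accounts against terminated-employee records and raises a Kintana request for any account not end-dated (NFR #07), and the removal of generic and shared logins that defeat individual accountability (NFR #08, NFR #10). The following Python is an added illustration of how those checks are expressed in code; it is not part of the report and not ESC's Delphi or Kintana code. The record layouts, the field names, and the sample employees and accounts are constructed assumptions, as is the choice to represent a generic account as one with no named owner.

```python
"""Account-lifecycle checks modelled on the Delphi corrective actions.

Added illustration, not ESC/Delphi code: record layouts and sample data are
constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Employee:
    employee_id: str
    terminated_on: Optional[datetime] = None   # None: still employed


@dataclass
class Account:
    user_id: str
    owner_employee_id: Optional[str]           # None: generic/shared login with no named owner
    end_date: Optional[datetime] = None        # None: account never expires


# Default reactivation window from the NFR #03 response: 24 hours.
REACTIVATION_WINDOW = timedelta(hours=24)


def auto_termination_report(accounts, employees, as_of):
    """Biweekly reconciliation: return user IDs that are still active (no end
    date, or an end date after `as_of`) although the owning employee record
    shows a termination on or before `as_of`. Each hit needs an end-dating
    request; accounts already end-dated are not reported again."""
    terminated = {
        e.employee_id for e in employees
        if e.terminated_on is not None and e.terminated_on <= as_of
    }
    hits = []
    for acct in accounts:
        still_active = acct.end_date is None or acct.end_date > as_of
        if still_active and acct.owner_employee_id in terminated:
            hits.append(acct.user_id)
    return sorted(hits)


def generic_accounts(accounts):
    """Logins with no named owner: the SYSADMIN-style accounts of NFR #08 and
    the shared DBA account of NFR #10. Activity under them cannot be tied to
    a person, so they are reported for deactivation or replacement."""
    return sorted(a.user_id for a in accounts if a.owner_employee_id is None)


def reactivate(account, requested_at, justification,
               extended_hours=None, extension_justification=None):
    """Time-boxed reactivation: the end date is set when the request is
    granted, so the account lapses on its own. The default window is 24 hours;
    a longer window needs a separate additional justification. Returns the
    new end date."""
    if not justification:
        raise ValueError("reactivation request must carry a justification")
    window = REACTIVATION_WINDOW
    if extended_hours is not None:
        if not extension_justification:
            raise ValueError("reactivation beyond 24 hours requires additional justification")
        window = timedelta(hours=extended_hours)
    account.end_date = requested_at + window
    return account.end_date


# Constructed sample data (assumption, not ESC records).
SAMPLE_EMPLOYEES = [
    Employee("E100"),
    Employee("E200", terminated_on=datetime(2009, 6, 1)),
    Employee("E300", terminated_on=datetime(2009, 9, 15)),
]
SAMPLE_ACCOUNTS = [
    Account("jdoe", "E100"),
    Account("rsmith", "E200"),                                # terminated, never end-dated
    Account("tlee", "E300", end_date=datetime(2009, 9, 16)),  # terminated and already end-dated
    Account("SYSADMIN", None),                                # generic login, no named owner
]
AS_OF = datetime(2009, 9, 30)


def run_checks():
    """Run both reports over the sample data and return the findings."""
    return {
        "needs_end_dating": auto_termination_report(SAMPLE_ACCOUNTS, SAMPLE_EMPLOYEES, AS_OF),
        "generic_accounts": generic_accounts(SAMPLE_ACCOUNTS),
    }


if __name__ == "__main__":
    print(run_checks())
    # A previously deactivated account is reactivated for the default window.
    acct = Account("jdoe", "E100", end_date=datetime(2009, 9, 1))
    print("reactivated until", reactivate(acct, datetime(2009, 9, 30, 9, 0),
                                          "final timesheet correction"))
```

Over the sample data the reconciliation reports only `rsmith` (terminated and still open), not `tlee`, whose account was end-dated the day after termination, and the generic-account check reports `SYSADMIN`. A request to extend a reactivation beyond 24 hours without a second justification is rejected, which is the check the NFR #03 response relies on to keep the default window short.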